Rusty Russell [ARCHIVE] on Nostr
📅 Original date posted:2016-05-02
📝 Original message:
Hi all!

I'm about to modify the HTLC scripts for the first time in a while to
prepend: "OP_SIZE 32 OP_EQUALVERIFY". It means that even timing out an
HTLC requires a 32 byte value (say, all-zeroes), but it's the simplest
and shortest change.

Without this, the length of a scriptsig which redeems a transaction
was ill-defined. The wire protocol requires a 32-byte R preimage to
redeem a HTLC, but there was no such on-chain restriction. An attacker
could create an HTLC which requires a different-size preimage to redeem,
then drop the commit tx to the blockchain and redeem it. A node
couldn't use that preimage via the wire protocol.

Or require a 110k preimage to redeem, drop to the blockchain, then
redeem it by sending direct to a miner. A node trying to use that
preimage would create a non-standard transaction, which may not
propagate. Similarly with an almost 4MB preimage which requires you
to grind out a tiny signature to redeem in a tx small enough...

I'm also dropping the per-side HTLC limit from 1500 to 450 in BOLT #2.
This means that a single "steal" transaction which spends all the
inputs is still under 400k cost (thanks segwit!), simplifying the
protocol.

Cheers,
Rusty.
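
An added illustration of the size guard described in the message above (not code from the original post or from any Lightning implementation): a toy stack evaluator runs a simplified hash-lock branch with and without the `OP_SIZE 32 OP_EQUALVERIFY` prefix. The branch layout, the use of `OP_SHA256`, and every function name here are assumptions made for the example.

```python
import hashlib

def scriptnum(n: int) -> bytes:
    """Minimal little-endian encoding of a non-negative script number."""
    out = bytearray()
    while n:
        out.append(n & 0xFF)
        n >>= 8
    if out and out[-1] & 0x80:      # keep the sign bit clear
        out.append(0)
    return bytes(out)

def run(script, stack) -> bool:
    """Evaluate opcodes / byte pushes on a stack; True if the script succeeds."""
    stack = list(stack)
    for op in script:
        if isinstance(op, bytes):
            stack.append(op)
        elif op == "OP_SIZE":       # pushes the length, leaves the item in place
            stack.append(scriptnum(len(stack[-1])))
        elif op == "OP_SHA256":
            stack.append(hashlib.sha256(stack.pop()).digest())
        elif op == "OP_EQUALVERIFY":
            if stack.pop() != stack.pop():
                return False
        elif op == "OP_EQUAL":
            stack.append(b"\x01" if stack.pop() == stack.pop() else b"")
        else:
            raise ValueError(op)
    return bool(stack) and any(stack[-1])

GUARD = ["OP_SIZE", scriptnum(32), "OP_EQUALVERIFY"]

def hash_branch(payment_hash: bytes, guarded: bool):
    """Simplified (assumed) hash-lock branch of an HTLC script."""
    return (GUARD if guarded else []) + ["OP_SHA256", payment_hash, "OP_EQUAL"]

def check(preimage: bytes) -> dict:
    """Compare on-chain acceptance with the 32-byte wire-protocol rule."""
    h = hashlib.sha256(preimage).digest()
    return {"unguarded": run(hash_branch(h, False), [preimage]),
            "guarded": run(hash_branch(h, True), [preimage]),
            "wire_ok": len(preimage) == 32}

def size_guard_ok(value: bytes) -> bool:
    """Guard alone, as a timeout path would meet it (dummy value supplied)."""
    return run(GUARD + [b"\x01"], [value])
```

Without the guard, a 33-byte or 110k preimage satisfies the script on-chain while being unusable on the wire; with the guard, the script and the wire rule agree, and an all-zeroes 32-byte value is enough to pass it on the timeout path.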
Published at
2023-06-09 12:46:14